01-22-2013 06:17 AM
With the command "set system setting ctd x-forwarded-for yes" the x-forwarded-for header is parsed to populate the source.user field in the logs.
However, which exact header is actually being parsed with this command?
Is it "x-forwarded-for"? (according to the CLI guide)
Or is it "x-fwd-for"? (according to the KB article)
Or both?
Can it be changed?
How?
Thanks,
Bart
03-27-2013 12:13 AM
Would be great if someone from PA could answer
03-27-2013 12:17 AM
The HTTP header is "X-Forwarded-For", as noted in the Admin and CLI guides. If you provide me a link to the KB article in question, I can have it updated. My guess is that someone shortened it to "x-fwd-for" because it's easier to type.
--Doris
03-27-2013 01:33 PM
There is no difference between the two commands - they do exactly the same thing. We most likely will not remove the duplicate command since it may cause migration issues.
Thanks,
Doris
04-16-2013 04:54 AM
I still didn't manage to get this working in our lab infra:
admin@lab01(active)> show system setting ctd state
Notify user for APP block : no
Alternative AHO : no
Skip CTD : no
Parse x-forwarded-for : yes
Strip x-fwd-for : no
Bloom Filter : yes
HTTP Proxy Use Transaction : yes
Enable Regex Statistics : no
URL Category Query Timeout : 5
Bypass when exceeds queue limit: yes
packets queued for packet capture: 5
whether to do packet capture after: yes
max. loop for packets processing: 1024
Not to Block HTTP Range request: yes
CTD ID : 1
CTD Allocator Usage : 92%(44 MB)
AHO Allocator Usage : 87%(97 MB)
Packet capture of a GET request:
GET http://www.microsoft.com/ HTTP/1.1
Host: www.microsoft.com
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-For: 10.255.224.130
Proxy-Connection: Keep-Alive
X-BlueCoat-Via: 36967894f0722148
I have also enabled User-ID on the incoming zone.
That should be all to get this working according to the DOC.
What else could be wrong?
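As an added illustration (not from the thread and not PAN-OS code), the snippet below shows what a log-enrichment step has to do with a request like the capture above: find the header case-insensitively (which is why "X-Forwarded-For" and "x-forwarded-for" are the same header), take the left-most address as the originating client, and only attribute it when every later hop is a proxy you operate, since the header is written by whoever sends the request. The sample requests and the proxy addresses are constructed; the multi-hop request goes beyond the single-hop capture in the thread.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed samples, modelled on the capture quoted above. The second
# request shows the comma-separated form a chain of proxies produces.
SINGLE_HOP = (
    "GET http://www.microsoft.com/ HTTP/1.1\r\n"
    "Host: www.microsoft.com\r\n"
    "X-Forwarded-For: 10.255.224.130\r\n"
    "\r\n"
)
MULTI_HOP = (
    "GET http://example.test/ HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "x-forwarded-for: 10.1.2.3, 192.0.2.10, 198.51.100.7\r\n"
    "\r\n"
)
TRUSTED_PROXIES = {"192.0.2.10", "198.51.100.7"}  # constructed values


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split an HTTP/1.1 request into a header map keyed by lower-cased name.

    Header field names are case-insensitive, so callers look up
    'x-forwarded-for' whatever casing the proxy used on the wire.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                        # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def client_ip_from_xff(raw: str, trusted_proxies: Set[str]) -> Optional[str]:
    """Return the originating client IP from X-Forwarded-For, or None.

    Each proxy appends itself, so the left-most entry is the client. It is
    only returned when every address to its right is a proxy we trust and
    every entry parses as an IP address; otherwise attribution is refused.
    """
    values = parse_headers(raw).get("x-forwarded-for")
    if not values:
        return None
    hops = [h.strip() for v in values for h in v.split(",") if h.strip()]
    try:
        addrs = [ipaddress.ip_address(h) for h in hops]
    except ValueError:
        return None                      # malformed entry: do not attribute
    if any(str(a) not in trusted_proxies for a in addrs[1:]):
        return None                      # an unknown hop could have forged it
    return str(addrs[0])
```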
04-16-2013 08:00 AM
Yes indeed, I was looking into the traffic logs. There is no URL filtering on this box.
Can someone from PA confirm that this only works for URL filtering logs?
04-16-2013 08:10 AM
Thanks emr,
I indeed found the answer here: https://live.paloaltonetworks.com/docs/DOC-1528
04-16-2013 08:56 AM
Looks like you found what you're looking for, but just in case you need further validation, the X-Forwarded-For parsing feature is only applicable to the URL filtering logs. If you do not have a URL filtering license, you can still use the allow/block list as well as the custom categories, so you can use those to generate logs and parse the X-Forwarded-For field as indicated above.